Well, the minimal security sandbox is largely complete. I've added
fine-grained permissions to most parts of Trac that made sense (ie.
mostly where they already existed).
I'd like to get some feedback on whether you think this is a good
initial approach. I think it is, mainly because it's backward
compatible with almost zero impact, while still providing a high degree
of control over access to resources.
More discussion here:
http://projects.edgewall.com/trac/wiki/PermissionPolicy
Example of testing permissions:
Trac [/home/athomas/projects/trac/env/security]> permission test anonymous
WIKI_DELETE
Default denied.
Trac [/home/athomas/projects/trac/env/security]> permission test anonymous
WIKI_MODIFY wiki:SandBox
Allowed by policy trac.perm.DefaultPermissionPolicy
Trac [/home/athomas/projects/trac/env/security]> permission test anonymous
MILESTONE_VIEW milestone:milestone1
Denied by policy foo.Deny666
Trac [/home/athomas/projects/trac/env/security]> permission test anonymous
MILESTONE_VIEW milestone:milestone2
Allowed by policy trac.perm.DefaultPermissionPolicy
--
Evolution: Taking care of those too stupid to take care of themselves.
_______________________________________________
Trac-dev mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac-dev
